Service – Session Manager (Smss)
The session manager (% SystemRoot% \ System32 \ Smss.exe) is the first user-mode process created on the system. This process is created by a kernel-mode system thread that performs the final phase of initialization of the runtime and kernel Service.
When Smss starts, it checks to see if there is a first instance of it (the Smss master) or its own instance started by the Smss master to create a session. (With command line arguments, this will be the last instance.) By creating multiple instances of itself at boot time and creating a Terminal Services session, Smss can create multiple sessions at the same time (maximum four current sessions, four concurrent sessions, plus one more for each additional CPU except for the first).
This feature improves logon performance on Terminal Services systems when multiple users are connected at the same time. When the session initialization completes, the Smss copy exits. As a result, only the original Smss.exe process remains active.
The Smss host Service performs the following one-time initialization steps:
- Marks the process and source thread as critical. (If a process or thread that is marked as critical terminates for some reason, Windows crashes.
- Raises the base priority of the process to 11.
- If the system supports processor hot add, enables automatic update of processor affinity so that new sessions can take advantage of the new processors when a new processor is added.
- Creates named pipes and mailslots used for communication between Smss, Csrss, and Lsm (discussed later).
- Generate an ALPC port for receiving commands.
- Creates system-wide environment environment variables defined under HKLM \ SYSTEM \ CurrentControlSet \ Control \ SessionManager \ Environment.
- produce symbolic links for devices defined under HKLM \ SYSTEM \ CurrentControlSet \ Control \ SessionManager \ DOSDevices under the \ Global ?? in the object manager namespace.
- Creates the \ Sessions root directory in the object manager namespace.
- Launches the programs listed under HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ BootExecute. (By default, Autochk.exe is listed there, which checks the disk.)
- Performs a pending file transfer specified in the HKLM \ SYSTEM \ CurrentControlSet \ Control \ SessionManager \ PendingFileRenameOperations section.
- Initializes the swap file (s).
- Initializes the rest of the registry (HKLM Software, SAM, and Security keys).
- Launches the programs specified under HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ SetupExecute.
- Opens known DLLs (HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ KnownDLLs) and displays them as persistent sections (mapped files).
- Makes a thread responsible for handling session creation requests.
- Creates a Smss to initialize session 0 (non-interactive session).
- Makes a Smss to initialize session 1 (interactive session). When these steps are complete, Smss goes into constant wait for a handle to a null session Csrss.exe instance. Since Csrss is labeled critical, if Csrss exits, this wait due to a system crash never ends.
The Smss instance that starts the session does the following:
- Calls the NtSetSystemInformation function to request to create a kernel-mode session data structure. This, in turn, calls the internal function of the memory manager MmSessionCreate, which sets up the virtual session address space, which will contain the non-resident session pool and the data structure of this session, allocated by the part of the Windows subsystem that runs in kernel mode (Win32k.sys), and others session-space device drivers.
- Creates a subsystem process (s) for the session (by default, Windows Subsystem Csrss.exe).
- Creates an instance of Winlogon (for interactive sessions) or Wininit (for session 0). More information on these two processes will be given below.
Then this intermediate Smss process exits (after which the subsystem processes remain, and the Winlogon or Wininit process remains as a process that does not have a parent process).
Local Session Manager (Lsm.exe)
The Local Session Manager (Lsm.exe) manages the state of Terminal Services sessions on the local machine. It sends requests to Smss to start new sessions (for example, to create Csrss and Winlogon processes) via the ALPC port of the SmSsWinStationApiPort, as if the user selects Switch User in Explorer. Lsm also supports communication with Winlogon and Csrss (using local system RPC).
It informs Csrss about events such as connecting, disconnecting, terminating, and sending a system message. He receives notification from Win logon about the following events:
- Entrance and exit.
- Starting and stopping the shell.
- Connection to the session.
- Disconnect from the session.
- Install or unlock the desktop.
Experiment: Viewing the details of a service in its processes.
Process Explorer highlights host processes from one or more services. The highlighting property can be configured by choosing “Configure Colors” from the “Options” menu. If you double-click on the process host name of one or more services, in the Services tab, you can see a list of services in the process, the name of the registry entry in which the service is defined, the display name that the administrator sees, the service description text (if any available) and for Svchost services, the path to the DLL that implements the service.
For example, the list of services in the Svchost.exe process running under the System account looks like this.
Service Control Manager (SCM)
Recall that previously a “service” in Windows meant either a server process or a device driver. In this section, services are referred to as user-mode processes. Services are similar to UNIX “daemon processes” or VMS “standalone processes” in that they can be configured to start automatically at system boot without requiring an interactive login.
They can also be started manually (for example, by starting the Services administrative tool or by calling the Windows function StartService). Typically, services do not interact with users who are logged in, although there are special conditions that enable this.
The Service Control Manager is a special system process that runs the% SystemRoot% \ System32 \ Services.exe image, and is responsible for starting, stopping, and interacting with service processes.
Service programs are actually Windows images that call specific Windows functions to interact with the Service Control Manager to perform actions such as registering a successful service start, responding to requests for its status, or pausing or stopping a service. Services are defined in the registry under HKLM \ SYSTEM \ CurrentControlSet \ Services.
Note that services have three names: the name of the process that appears to be running on the system, the internal name in the registry, and the name that appears in the Services administration tool. Not all services have a display name.
If the service does not have a display name, then its internal name is displayed.
On Windows, services can also have a description field that gives a deeper understanding of what a service is doing.
To map a service process to a service contained in that process, use the tlist / s command or the tasklist / svc command. It should be noted that there is not always a one-to-one correspondence between service processes and running services, because some services share a process with other services. The type code found in the registry indicates whether the service is running in its own process or shares a process with the rest of the image services.
Several Windows components are implemented as services. These include Print Manager, Event Log, Job Scheduler, and various network components.
Experiment: Listing installed services.
Fordisplay a list of installed services, select Administrative Tools from the Control Panel, and then select Services. The result should be information similar to the following:
To see the detailed properties of a service, right-click on the service name and select Properties. For example, the following figure shows the properties of a service named Print Manager.
Note that the Executable field shows the program that contains this service. Keep in mind that some services share a process with other services, so it is not always possible to unambiguously map a service to a process.